Recently, India’s Drone Rules 2021 superseded the Unmanned Aerial Systems (UAS) Rules to obliterate various norms in order to promote the drone industry. However, the proposed rules do not address privacy concerns.
The Draft Rules, 2021, do not even make a mention of the word ‘privacy’. This is appalling, especially since in the UAS Rules 2021, there was a particular obligation as per Rule 27(h) on authorised unmanned aircraft system operators to safeguard the privacy of a person and its property during operation.
The fact that the proposed rules allow the Union and State governments access to drone data all the time, it is quintessential to ask how that data will be used.
What transpires in a scenario when the company that stores data from the drones also captures and processes data for its own independent purposes? Such indispensable questions do not find space in the latest drone rules.
India’s Drone Regulations: Privacy Taking a Back Seat
While privacy is recognised as a constitutionally protected right, we do not have legal safeguards against the potential misuse of personal data. The Personal Data Protection Bill, 2019, is yet to be notified as a law.
Earlier, the Aircraft Rules, 1937, read with the Civil Aviation Requirements, 2018 (CAR) were used to regulate the drones. The CAR is used to ensure that the privacy of any individual is not compromised in any manner without expounding on the privacy standards.
In March 2021, the provisions related to drone regulation in the Aircraft Rules, 1937, read with the CAR, were replaced by the UAS Rules.
The UAS Rules required the drone operator to ensure the privacy of property and person while operating a drone and proscribed the third parties from sharing the data recorded by third parties unless explicit consent is obtained from the data subjects. However, the UAS Rules used to offer all-encompassing discretion on privacy and data protection to the data operator.
In July 2021, the government published the Draft Drone Rules, 2021, to repeal the cumbersome UAS Rules. However, neither the Draft Drone Rules, 2021 nor the Drone Rules, 2021 mentioned the protection of data collected or, for that matter, privacy even once in the rules.
In India, drones are the latest entrants to the debate on privacy caused by new technologies. During the recent Farmer’s protests and anti-Citizenship Amendment Act protests, the use of drones has raised the old concern of the use of technology for mass surveillance.
Similarly, the Brihanmumbai Municipal Corporation and Mumbai police relied on drones to detect lockdown violations in residential areas such as Dharavi and Andheri. Similar projects were seen across Kerala and in Hyderabad as the former even hired private citizens to operate drones as part of the surveillance efforts.
The video footage recorded by drones in Kerala was even directly transmitted to the phones of local data. In the past, India’s drone regulations have been accused of showing false piety to the issue of privacy.
The Draft drone guidelines released in 2016 and 2017 did not mention serious issues like safety concerns, privacy, and legal liabilities. However, the 2018 drone regulations took a more progressive stand as they required the operators of drones to be “liable to ensure that privacy norms of any entity are not compromised in any manner” prescribed under the Operating Requirements.
This control was mentioned without any protections against data breaches.
Major Implications for Data Privacy
Even after assuming that the drones are used after conforming to the existing domestic regulations for the use of drones in India, it still has significant implications for data privacy.
In fact, the Hungarian Data Protection Authority has recommended legislation around the use of drones as drones have data protection implications.
Drones can be very invasive due to their capacity to collect data about everything in their field of vision, which is unusually wide. The ‘footage’ collected by drones to monitor would be considered ‘personal data’ as per Section 3(28) of the PDP Bill 2019, as the people would be ‘directly identifiable’ with the footage collected.
Further, it would constitute ‘sensitive personal data’ as well under Section 3(36) given the potential misuse of footage on facial recognition software, which may constitute ‘biometric data’.
Such footage can reveal the political affiliation of a person and can also be used to reveal further sexual orientation, intersex status, religious belief, transgender status, tribe, caste, etc. Such categories are safeguarded as ‘sensitive personal data’ under the PDP Bill.
Recording such data using drones constitutes ‘processing’ as per Section 3(31) of the PDP Bill. The consent of the data principal must be explicitly obtained as per Section 11(3) of the PDP Bill in case any sensitive personal data is processed.
‘Explicit consent’ threshold requires that apart from the consent being informed, specific, free, and capable of being withdrawn, it must be obtained after notifying the data principal of the purpose of such data processing and its likely significant harms in clear terms.
It would be practically impossible to conform to this high standard of obtaining ‘explicit consent’ from the people in large gatherings. Therefore, using drones in large gatherings or a wide area will be impermissible under the PDP Bill.
Also, using Section 35 of the PDP Bill, 2019 will not be easy for the Central government to exempt the government agencies from the provisions of the PDP Bill. The same will require reasons to be recorded in writing with procedures, oversight mechanisms, and safeguards to be specified applicable to the exempted government agencies under the PDP Bill.
In November 2020, the Civil Aviation Ministry floated a discussion paper for an unmanned aircraft system traffic management (UTM) policy to secure and automate drone operations. However, the paper was silent on the blanket immunities available to government bodies from conforming to the provisions under the PDP Bill in safeguards around data processed by law enforcement agencies.
This is significant as the government can use drones for mass surveillance exercises. The discussion paper offers no relief to it. The government has deployed drones over protestors several times.
Also, the government is already exempted from obeying conforming to the provisions to the privacy bill under the guise of “public order” under Section 12(f) of the Bill.
Passing the Three-Fold Test for Restraints on Privacy
While government agencies may rely on exemptions from data protection laws and drone rules, the data processing by the drones must conform to the three-fold test for restraints on privacy laid down in the case of Justice KS Puttaswamy v. Union of India.
The government agencies must satisfy the requirements of legality, necessity, and proportionality to their objectives irrespective of the exemptions obtained from any legislation.
This will require for the government to show that the restriction is backed by legislation; second, there is a legitimate state aim behind the restriction; third, there is a rational relationship between the restriction made and the purpose behind such restriction; and fourth, that the State has chosen the ‘least restrictive’ measure to achieve the objective.
However, the government’s use of drones for surveillance is unfounded in legislation. In addition to it, there is nothing to suggest that they represent the least restrictive measures available.
Despite all the benefits associated with using drones equipped with cameras, one cannot simply turn a blind eye to the blanket surveillance using drones. It is imperative to question whether such usage of drones in India violates the right to privacy, especially when India’s Drone Rules 2021 do not mention the word ‘privacy’ at all.
Kshitij Goyal is a B.A., LL. B (Hons.) student at the National Law School of India University (NLSIU), Bangalore. This is an opinion piece, and the views expressed are the author’s own. The Quint neither endorses nor is responsible for them.)